Verifone, Largest Maker Of Card Payment Terminals, Targeted By Hack

Verifone, the company behind many of the payment systems you see at retailers across the country, is reportedly the latest hack attack victim.

Krebs on Security reports that Verifone, the largest maker of credit and debit card payment terminals, is investigating a breach of its corporate computer networks that may have targeted payment systems at dozens of gas stations.

The company tells Krebs that the possible breach, which began sometime in January, does not affect its payment service networks used by hundreds of retailers.

However, the company says that forensic evidence suggests the cyber attempt was limited to the payment solutions used by approximately two dozen gas stations. The company did not say specifically what gas stations were affected.

“We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational,” the a rep for Verifone tells Krebs.

The spokesperson notes that the company first saw evidence of the intrusion in a “limited portion” of its internal networks.

“Our payment services network was not impacted,” the rep tells Krebs. “We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited.”

Verifone notified staff and contractors of the possible breach through an “urgent” internal email noting that the company was “investigating an IT control matter.”

The email — obtained by Krebs — noted that the company was “taking immediate steps to improve controls” and instructed employees to change their passwords within 24 hours. The company also told employees they would no longer be able to install outside software on their company devices.

While Verifone did not provide additional details on the breach, a source close to the matter tells Krebs that the company sent the internal memo after being notified by Visa and MasterCard.

Krebs reports that the intrusion affected Verifone’s customer support unit in Clearwater, FL, that provides payment terminals for gas and petrol stations, such as pay-at-the-pump credit card processing and physical cash registers inside stores.

A source tells Krebs that Visa and MasterCard were notified that the hackers may have been inside the system as far back as mid-2016.

Analysts tell Krebs that the hack likely targeted filling stations because they are low-hanging fruit, an industry full of unattended, automated terminals.

Additionally, the fueling systems have been among the last to incorporate the supposedly after chip-card systems. In fact, the industry has until 2020 to implement chip-enabled readers at fuel pumps.